As Internet technology continues to become more widely used, network security issues are becoming much more prominent. In particular, Trojan Horse types of malware processes have resulted in the theft and destruction of important information. A Trojan Horse is a type of malware that is downloaded to an unsuspecting user's device and that proceeds to gain privileged access to the operating system and/or installs malicious code onto the device. Oftentimes, a Trojan Horse provides a malicious party with unauthorized access to the user's device. Malicious parties may take advantage of such unauthorized access to steal information and/or otherwise cause harm to the user's device.
One type of conventional Trojan Horse detection technique is as follows: extract sample code from a process that has not yet been determined to be related to a Trojan Horse, and compare the sample code to one or more feature codes associated with known Trojan Horse processes, saved in a Trojan Horse feature database. If a match can be found, then the process is determined to be related to a Trojan Horse process.
In the conventional Trojan Horse detection method described above, processes that have trustworthy signature information (e.g., processes whose sample code does not match feature code associated with any known Trojan Horse process) or trustworthy processes found on whitelists (e.g., processes whose sample code matches feature codes associated with known non-malware processes) are generally not subject to Trojan Horse detection. However, such detection techniques may not detect an injection-type Trojan Horse. When an injection-type Trojan Horse process is executed, it first launches a process. The process may be any process that is not determined to be a malware process, either because it does not match feature code associated with a known malware process or because it matches feature code associated with a process that is included in a whitelist. Before the launch of this process is completed, the injection-type Trojan Horse process pauses the process and writes its own malicious code into the memory image associated with the process. The injection-type Trojan Horse process then resumes the launch of the process. In this way, the injection-type Trojan Horse can evade conventional techniques of Trojan Horse detection.
In a specific example, an injection-type Trojan Horse process may launch the process of a notepad process (notepad.exe). This notepad process is not considered as a malware process because it has trustworthy signature information (e.g., a sample of its code may be matched to code found in a whitelist). Before the launch of this notepad process is completed, the injection-type Trojan Horse process pauses this notepad process and writes its own malicious code into the memory image of the notepad process. The injection-type Trojan Horse process then resumes the launch of the notepad process.
After the launch of the notepad process is completed, this notepad process becomes associated with a Trojan Horse process, and since this notepad process has trustworthy signature information, conventional Trojan Horse detection techniques may not be able to detect the malware. The notepad process is therefore transformed into a puppet process of the injection-type Trojan Horse process. The injection-type Trojan Horse process acts in a manner equivalent to putting an outer layer of clothing over a malicious process in order to avoid the conventional Trojan Horse detection techniques.
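Because the puppet process carries a trustworthy signature, the launch sequence itself (create suspended, write into the child's memory from another process, resume) is what a detector has to look at. The following is an added example, not code from the original text: it runs that behavioural check over constructed telemetry records. The event schema (the `type`, `pid`, `parent_pid`, `target_pid` and `flags` fields) is an assumption and would be mapped onto whatever an EDR or Sysmon-style pipeline actually emits.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 process-creation flag


def detect_puppet_processes(events):
    """Return {target_pid: sorted list of writer pids} for every process that
    was created suspended, had its memory written by a different process,
    and was then resumed. Signature or whitelist checks on the target image
    (e.g. notepad.exe) would pass, so only the launch sequence is used."""
    suspended = set()              # pids created with CREATE_SUSPENDED, not yet resumed
    writers = defaultdict(set)     # suspended pid -> pids that wrote into it
    flagged = {}
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and ev["flags"] & CREATE_SUSPENDED:
            suspended.add(ev["pid"])
        elif kind == "write_memory" and ev["target_pid"] in suspended:
            if ev["pid"] != ev["target_pid"]:   # cross-process write only
                writers[ev["target_pid"]].add(ev["pid"])
        elif kind == "thread_resume" and ev["target_pid"] in suspended:
            tgt = ev["target_pid"]
            if writers.get(tgt):                # resumed after being written to
                flagged[tgt] = sorted(writers[tgt])
            suspended.discard(tgt)              # a later resume is ordinary
            writers.pop(tgt, None)
    return flagged


# Constructed sample telemetry (assumed schema, not real captured data):
#  - pid 4242 launches notepad.exe suspended, writes into it, resumes it
#  - pid 5000 launches calc.exe normally
#  - pid 6000 launches a child suspended and resumes it without any write
#    (what a debugger does), which must not be flagged
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4343, "parent_pid": 4242, "image": "notepad.exe", "flags": 0x4},
    {"type": "write_memory",   "pid": 4242, "target_pid": 4343, "size": 0x1A000},
    {"type": "thread_resume",  "pid": 4242, "target_pid": 4343},
    {"type": "process_create", "pid": 5001, "parent_pid": 5000, "image": "calc.exe", "flags": 0},
    {"type": "thread_resume",  "pid": 5000, "target_pid": 5001},
    {"type": "process_create", "pid": 6001, "parent_pid": 6000, "image": "app.exe", "flags": 0x4},
    {"type": "thread_resume",  "pid": 6000, "target_pid": 6001},
]

if __name__ == "__main__":
    print(detect_puppet_processes(SAMPLE_EVENTS))  # prints {4343: [4242]}
```

The check deliberately ignores a process writing to its own memory and a suspended launch with no foreign write, so ordinary debugger and loader behaviour does not raise an alert.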